|
|
Fall 2005 |
 |
|
P r i v a c y
Privacy law and
health records
|
|
|
The Provider's
Edge Photo |
|
|
|
|
It is not clear how
Canada’s new privacy regime will ultimately impact health care, but it
is something physicians should consider now.
|
|
|
|
by Ed Brown |
|
The
Personal Information Protection and Electronics Document Act
(PIPEDA) has been generally in force since the beginning of
2004 for those provinces without similar privacy legislation. Those
engaged in commercial activity involving personal information must
publish a privacy policy, including a designated privacy officer, a
complaints process, and individual access, security and
accountability mechanisms, among other things. These rules center on
the right of an individual to withhold consent for the collection,
use and disclosure of their personal information. The Office of the
Privacy Commissioner of Canada takes the view that “core activities”
of publicly-funded hospitals are not subject to the PIPEDA, but
physicians’ activities in private practice are. Presumably, a
private practitioner disclosing information (even to hospital staff)
would require patient consent.
The CMA adopted its
Health Information Privacy Code** in anticipation of this
legislation, creating specific guidelines for health care practices and
trying to integrate the doctor's obligation to share information,
traditional patient confidentiality, and the new legislation. For
example, the CMA Code assumes implied consent by the patient for such
things as case consultation and laboratory work. More recently, the
Privacy Commissioner has articulated a similar
“circle of care” concept, which includes implied consent to some
information sharing.
Ultimately, the Commissioner's
interpretation of the legislation could be over-ruled or modified by an
appeal to the courts. As it stands, there is some uncertainty as to the
extent of the “circle of care,” exactly when a physician is acting in
private practice, and the adequacy of the
CMA’s published privacy handbook as a guide for physicians. But
leaving these concerns aside, it seems the Privacy Commissioner does not
contemplate radical changes to physicians’ interaction with their
patients. Circumspect and appropriate handling of records and posting
consent and policy notices would appear to be appropriate steps in her
view.
But I’ve been to several waiting rooms in
the past few years and have yet to see much sign of compliance with
these basics. I also doubt that many would know how to respond if I
informed the clinic I was withholding my consent to disclose
information, or asked to speak with their privacy officer. This is not
really surprising, given the administrative overhead involved, and given
that the system is complaints-driven. Only if the Commissioner receives
a complaint is there likely to be an investigation, and even then she is
limited to organizational recommendations: she cannot apply penalties.
That doesn't mean you should ignore the rules: imagine the professional
embarrassment of an adjudicative finding that says you’re mishandling
personal information. (Besides, physicians are subject to other relevant
law, including breach of confidence).
A broader concern for physicians as a
group may be impending changes related to electronic health care
records. With efforts such as Health Canada's Infoway project, privacy
compliance is being designed and built into information networks and
services that will determine how you access health care records in the
future. For example, many electronic systems store the records on the
software provider’s server. With high-speed networks, the records are
instantly available, but the clinic doesn't have to manage the database
technology. At least one clinic in this province uses this type of
service. It requires nominal disclosure of the records to the service
provider, in possible conflict with privacy rules. The resolution of
such issues will determine how new technologies will affect health care
procedures and what new obligations fall on the practitioner.
It is not clear how Canada’s new privacy
regime will ultimately impact health care, but it is something
physicians should consider now.
Ed
Brown is a faculty member in the Computer Science Department of
Memorial University and a member of the Bar of Newfoundland and
Labrador. He has interests in both law and technology related to
privacy.
|
